How to capture filename (path) for NFSv4 traffic using tshark

I'm using tshark to detect the most called files by specific nfs.procedure_v3 values (my capture filter for read, write, getattr, ...) by analyzing the number of fields like nfs.fattr3.fileid (inode) and nfs.fattr3.fsid. How can I do this for NFSv4, which should be able to display the filename and even the path directly in packets? Thank you.

1 Answer

How can I do this for NFSv4, which should be able to display the filename and even the path directly in packets?

Not in, for example, a packet where the COMPOUND call includes a READ operation but not an OPEN operation; a READ request has just a stateid4, an offset, and a count, and the reply just contains a status and, on success, the data being read - there are no pathnames in a READ request or reply.

The best Wireshark can do is "file name snooping", which is enabled by the "Snoop FH to filename mappings" preference, and "full file name snooping", which tries to get full pathnames, not just component names, and is enabled by the "Snoop full path to filenames" preference. Those forms of snooping work for NFSv2, NFSv3, and NFSv4. They are not enabled by default, so you will have to enable them yourself, by either:

running Wireshark, changing them through the GUI, and saving the preferences, so that TShark will pick up those preferences;

manually editing the Wireshark preferences file to set nfs.file_name_snooping and nfs.file_full_name_snooping to TRUE;

running TShark with the command line options -o nfs.file_name_snooping:true and -o nfs.file_full_name_snooping:true to turn those preferences on for that particular instance of TShark.
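As an added example (not part of the original answer), a small script that runs TShark with the two -o preferences named above and ranks the snooped file names per frame, so the "most called files" question can be answered for NFSv4 as well; the field abbreviations nfs.opcode, nfs.name and nfs.full_name are assumed Wireshark field names, and the embedded sample lines are constructed, not from a real capture.

```python
"""Rank files touched in an NFSv4 capture via tshark file name snooping (added example).
The -o preferences are those named in the answer; nfs.opcode, nfs.name and nfs.full_name
are assumed Wireshark field abbreviations (verify with: tshark -G fields | grep nfs.full)."""
import subprocess
import sys
from collections import Counter
FIELDS = ["frame.number", "nfs.opcode", "nfs.name", "nfs.full_name"]
# Constructed sample of tshark -T fields output (opcodes 18=OPEN, 25=READ), not a real capture.
SAMPLE = ["1\t18\tfoo.txt\t/export/foo.txt",
          "2\t25\t\t",  # READ-only COMPOUND: nothing to snoop
          "3\t18,25\tfoo.txt\t/export/foo.txt",
          "4\t18\tbar.log\t"]  # component name only, full path not yet known

def tshark_command(pcap, display_filter="nfs.opcode"):
    """tshark invocation with both snooping preferences enabled for this run only."""
    cmd = ["tshark", "-r", pcap,
           "-o", "nfs.file_name_snooping:true",
           "-o", "nfs.file_full_name_snooping:true",
           "-Y", display_filter,
           "-T", "fields", "-E", "separator=/t", "-E", "occurrence=a"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def rank_files(lines):
    """Prefer the snooped full path, fall back to the component name, and tally frames
    with neither (a COMPOUND with only READ carries no name). With occurrence=a,
    several ops in one COMPOUND are joined by commas, so split on them."""
    counts, unnamed = Counter(), 0
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < len(FIELDS):
            continue  # malformed/short line
        chosen = parts[3] or parts[2]
        if not chosen:
            unnamed += 1
            continue
        for item in filter(None, chosen.split(",")):
            counts[item] += 1
    return counts, unnamed

def main(argv):
    lines = SAMPLE if len(argv) < 2 else subprocess.run(
        tshark_command(argv[1]), check=True, capture_output=True, text=True).stdout.splitlines()
    counts, unnamed = rank_files(lines)
    for path, n in counts.most_common(10):
        print(f"{n:6d}  {path}")
    print(f"{unnamed} frames had no file name (snooping needs the OPEN/LOOKUP in the capture)")
if __name__ == "__main__":
    main(sys.argv)
```

Full paths only appear for file handles whose LOOKUP/OPEN was seen in the capture, so the unnamed count is a useful check on whether the capture started early enough.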